June 7, 2005

MEMORANDUM TO:  Luis A. Reyes
                Executive Director for Operations

FROM:           Stephen D. Dingbaum/RA/
                Assistant Inspector General for Audits

SUBJECT:        MEMORANDUM REPORT: AUDIT OF NRC’S
                POLICY AND PRACTICES CONCERNING CAMERA
                CELL PHONES (OIG-05-A-12)

As part of the Office of the Inspector General’s (OIG) audit of NRC’s
telecommunications program, OIG identified a problem outside the scope of the
audit that warrants your attention. Specifically, NRC lacks a camera cell phone
policy to:

   - Establish requirements for Office of Information Services (OIS) acquisition
     of camera cell phones for use by employees.

   - Remind employees and visitors that the prohibition against taking
     photographs in NRC buildings also applies to camera cell phones.

   - Provide security guards with guidance on the handling of camera cell
     phones brought to the building by visitors.

Furthermore, the agency is not enforcing its current policy toward visitors with
cameras. This increases the risk that the agency’s classified and sensitive
information could be deliberately or inadvertently made public or otherwise
compromised.

Background

Camera cell phones, if misused, pose security and privacy threats because they
enable people to covertly photograph images or scenes and transmit them
immediately to the Internet. Since 2000, when camera cell phones were
introduced, individuals have misused the devices in various ways, including
secretly taking revealing pictures of people in locker rooms, cheating during
tests, and committing credit card theft. In addition, security professionals have
identified the potential for other abuses, such as Government and industrial
espionage.

The Federal Government, companies, schools, health clubs, and other entities
are taking various steps to deal with the security and privacy threats posed by
camera cell phones and other new wireless devices with photographic
capabilities. On December 23, 2004, President Bush signed the Video
Voyeurism Prevention Act of 2004. This law made it a crime to knowingly
photograph, videotape, or record by any means an image of a private area of an
individual without their consent on Federal property where the individual has a
reasonable expectation of privacy. Punishment would include fines of up to
$100,000 or up to a year in prison, or both. Some Government offices that
handle classified information, companies, health clubs, and high schools have
banned or restricted the use of camera cell phones on their premises.

Due to the growing popularity of camera cell phones, security professionals have
urged companies and agencies to establish policies and restrictions on the use of
camera cell phones and to ensure employee awareness of these rules.

Approximately 20 percent of U.S. cell phone users had camera cell phones
during 2004 and, according to analysts, by 2006, 80 percent of the cell phones
sold in the U.S. will be camera phones.

NRC Needs To Develop a Camera Phone Policy and Better Enforce Its
Camera Policy

Guidance on Cameras

Management Directive (MD) and Handbook 12.1, NRC Facility Security Program,
permit visitors and employees to bring personal cameras into NRC buildings, but
prohibit the use of these devices to take pictures inside NRC buildings without
permission from the Director, Division of Facilities and Security, or, in some
cases, from the Director, Office of Public Affairs. This guidance, revised on
April 14, 2004, represents a departure from the language contained in an earlier
version of the MD and Handbook that prohibited employees and visitors from
bringing cameras into the buildings without approval. MD and Handbook 12.1
also permit the use of NRC-owned photographic equipment within NRC facilities
to conduct official NRC business, however, such use is prohibited in security
areas[1] and other locations where it could result in the compromise of classified or
sensitive unclassified information.

[1] According to MD and Handbook 12.1, a security area is a physically defined space (usually a
room, or a series of interconnecting rooms, within a facility) containing classified information and
subject to physical protection and personnel access controls.

Visitors and Employees Unaware

NRC has not ensured that employees and visitors understand that NRC’s
general prohibition against taking photographs within agency facilities also
applies to camera cell phones. Similarly, the agency has not ensured that
employees are aware of vulnerabilities associated with the use of camera cell
phones.

   Camera Phone Purchase Request

Recently, an NRC official requested that OIS provide the official with a camera
cell phone. In the past, OIS typically accommodated all requests for cell phones,
so this created a challenge for OIS, which ultimately denied the request for
security reasons. Camera cell phones are small, easy to use, and provide
immediate images that can be transmitted instantly to the Internet for widespread
dissemination. Careless use can compromise classified or sensitive information
or even physical security measures used to protect NRC facilities.

OIS officials said that the lack of guidance on camera cell phones required them
to seek advice from an agency security official on the security vulnerabilities
posed by these devices. OIS officials said that denying the request was
somewhat awkward because of the past practice of accommodating requests.
OIS officials held discussions with the requestor to explain the security
vulnerabilities associated with having the camera feature on the cell phone. This
situation highlights the need for a policy stipulating the conditions for granting or
denying requests for camera cell phones and informing staff of the risks posed by
these devices. According to an OIS manager, such a policy would need to go
beyond camera cell phones and address other wireless devices with
photographic capabilities, such as some types of personal digital assistants.

   Personal Camera Cell Phones

Employees may similarly be unaware of the risks posed by their personal camera
cell phones. These phones are an emerging technology and more and more
employees are likely to have personal camera cell phones as time goes by.
Employees who might not otherwise consider taking a picture within the agency
may be tempted to do so because of the camera cell phone’s convenience.

   Security Guards

Security guards impose no requirements on visitors with camera cell phones and
impose inconsistent requirements on visitors with cameras that are not in
accordance with the requirements in MD and Handbook 12.1. Guards in both
buildings recognized the risks posed by camera cell phones, but said NRC has
not issued instructions to them on how to deal with visitors who have these
phones. Therefore, they do not try to determine if visitors have these phones
and would not take any special measures even if they knew a visitor had one.

Auditors also determined that security guards in the two headquarters buildings
are imposing different requirements on visitors with cameras. In neither case are
the requirements imposed in accordance with MD 12.1. In the Two White Flint
North headquarters building lobby, guards act on outdated guidance by
confiscating cameras from visitors entering the building. Visitors may read this
prohibition, which appears on a guard desk sign that lists prohibited articles,
including cameras. However, guards in the One White Flint North headquarters
building lobby allow visitors to keep their cameras with them provided their escort
has been notified about the camera. A sign in this building states cameras are
permitted with authorization, although OIG notes that MD and Handbook 12.1
make no mention of a need for such authorization.

[Photographs: Two White Flint North lobby sign; One White Flint North lobby sign]

Lack of Policy

Employees may be unaware of the vulnerabilities posed by camera cell phones
and the prohibition against taking photographs in NRC buildings because there is
no policy on wireless devices with photographic capability, including camera cell
phones, and because the prohibition against taking photographs is not well
publicized. The prohibition is mentioned within MD and Handbook 12.1 as part of
a discussion of physical security requirements for the protection of classified
information, but is not likely to be read by all or most employees. New employees
are even less likely to be aware of the prohibition because they are not briefed at
the new employee orientation on the prohibition against taking photographs in
the NRC buildings. At the time of this audit, OIS was working to develop a policy
on wireless devices.

Visitors are also unlikely to be aware of NRC’s expectations concerning camera
cell phones because NRC has not directed security guards to try to identify these
phones, caution visitors about these phones, or take some other measure to
ensure that the NRC photography policy is enforced.

Deliberate or careless use of camera cell phones can compromise classified or
sensitive information or even physical security measures used to protect NRC
facilities. These phones provide immediate images that can be transmitted
instantly to the Internet for widespread dissemination. The growing popularity of
camera cell phones highlights the need to heighten employee and visitor
awareness about NRC’s prohibition against photographs inside agency facilities.

By implementing a camera cell phone policy that addresses camera cell phones
and clarifies agency requirements concerning cameras in general, and
consistently implementing its overall camera policy, NRC will strengthen its
protection against information and physical security threats.

Recommendations

OIG recommends that the Executive Director for Operations:

   1. Develop a policy that (a) establishes requirements for OIS acquisition of
      camera cell phones and other wireless devices with photographic
      capability for employee use, (b) conveys that NRC’s prohibition against
      taking photographs in NRC buildings also applies to camera cell phones,
      and (c) communicates NRC’s expectations concerning visitors with
      camera cell phones.

   2. Issue a Yellow Announcement to remind employees of the NRC
      prohibition against using any type of device to take pictures inside NRC
      buildings.

   3. Inform new employees of the prohibition against taking photographs with
      any type of device inside NRC buildings during the new employee
      orientation.

   4. Inform visitors of the prohibition against taking pictures with any device
      inside NRC buildings through the display of posters at the building,
      auditorium, and meeting room entrances.

   5. Include, in the security guard orders, instructions for the security guards to
      use in handling visitors with camera cell phones.

Agency Comments

During an exit conference held May 18, 2005, agency managers generally
agreed with the report’s findings and recommendations and provided a comment
concerning the draft audit report. We modified the report as we determined
appropriate in response to this comment. NRC reviewed these modifications and
opted not to submit formal written comments to this final version of the report.

Scope/Contributors

To accomplish this limited scope review assessing the agency’s policies and
procedures to prevent inappropriate use of camera cell phones in its
headquarters facilities, auditors reviewed relevant criteria such as the current
version of MD and Handbook 12.1, NRC Facility Security Program (dated April
14, 2004). Auditors also reviewed the prior version of MD and Handbook 12.1
(dated October 16, 2000) to assess the changes reflected in the updated
guidance and, for comparison purposes, a Department of Defense Directive,
dated April 14, 2004, concerning use of commercial wireless devices.

Auditors interviewed security guards in the One and Two White Flint North
lobbies to learn what practices they employ toward visitors with cameras and
camera cell phones. They also interviewed OIS officials and an official from the
Office of Administration to obtain their perspectives on whether NRC should
purchase camera cell phones for use by employees.

This work was conducted over a 2-week period during the month of April 2005 in
accordance with generally accepted Government auditing standards and
included a review of management controls related to the audit objective. The
work was conducted by Beth Serepca, Team Leader; Shyrl Coker, Audit
Manager; and Judy Gordon, Audit Manager.

Please provide information on the actions taken in response to the
recommendations directed to your office by July 18, 2005. Actions taken or
planned are subject to OIG followup. See Attachment for instructions for
responding to OIG report recommendations.

If you have any questions or concerns regarding this report, please contact me at
415-5915 or Beth Serepca at 415-5911.

cc:   Chairman Diaz
      Commissioner McGaffigan
      Commissioner Merrifield
      Commissioner Jaczko
      Commissioner Lyons

Distribution

John T. Larkins, Executive Director, Advisory Committee on Reactor
  Safeguards/Advisory Committee on Nuclear Waste
G. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and
  Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Hubert T. Bell, Inspector General
Janice Dunn Lee, Director, Office of International Programs
William N. Outlaw, Director of Communications
William N. Outlaw, Acting Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
William F. Kane, Deputy Executive Director for Reactor
  and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research, State
  and Compliance Programs, OEDO
Jacqueline E. Silber, Deputy Executive Director for Information Services
  and Administration, and Chief Information Officer, OEDO
William M. Dean, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Frank J. Congel, Director, Office of Enforcement
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Acting Director, Office of Human Resources
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Carl J. Paperiello, Director, Office of Nuclear Regulatory Research
Paul H. Lohaus, Director, Office of State and Tribal Programs
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV